NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Bridge 2 Networks with SRX5308 Help
Hello, Here is what I am trying to accomplish.
Building A - 192.168.0.x
Building B - 192.168.1.x
I have a ubiquiti wifi antenna that is connecting both buildings for the SOLE purpose of building B, accessing building A's NAS Drive, 192.168.0.10
I have been told a bunch of how to scenarios, but i cant get it working right as in segmenting each network separate so both DHCP servers do not conflict. I want both networks to remain independant, only a handful of PC's at building B to access the Nas Drive at building A.
(A VPN was not able to accomplish this fast enough, even with Gigabit Internet, SMD doesn't like VPN's).
So i was told on the srx5308 to plug one of the antenna's into one of the Quad WAN Ports, lets say Wan2.. Give it a /29 IP Address. Then do the same on the other building (which has a non-netgear firewall).. but for now lets concentrate on the setup in building B with the Srx5308.
This is what i was told:
- On the SRX5308 plug the bridge into one of the spare WAN ports and assign a small subnet (e.g. 172.16.10.1/29). Page 127 of the manual tells you how to setup static routes.
Problem is, the srx5308 won't let me do this unless i put in a gateway and dns servers on the Wan2 port as far as i can tell. Also do i turn on DHCP on that /29 range or leave it solo and static the IPs in it..
Fwiw, i had this working buy just plugging everything in and using IP ALias's on the windows machines, but the dhcp servers on both ends could obviously not coexist.. I need to keep the network separate but have this one tunnel to get to that nas drive thru the antenna connection (the buildings are approx 900 ft away, the antennas work very very well).
Appreciate any assistance.
I got it working. Thanks to c3po2 for the guided assistance.. In a nutshell here is what i did. My brain was cramping for days with this.
The First Key, was properly setting up the VLAN's on Both Firewalls. In the SRX5308, I created VLAN20 with the IP 172.16.10.1/29 located in Building A. Building B TPLink ER605 I created VLAN20 with the IP 172.16.10.2/29. The SRX5308 VLAN, has Inter-Vlan Routing box enabled. *Note - The Ubiquiti Nano 5ac Antenna is plugged into LAN 3 on the SRX5308.. NOT the Wan port. Shown below are the settings for the VLAN (called CBBridge). As you can see also, i only have Port 3 checked off, where the Antenna is plugged into.
Next the Routing on the SRX5308 shown Below. The cavieat that i didn't figure out til i tried it, was the Gateway. I kept thinking the 172.16.10.1 IP of the Vlan on the SEX5308 was the one to use, i was incorrect. I had to use the 172.16.10.2 gateway, which is the IP of the VLAN on the TP Router in Building 2. Before i figured that out, i was able to ping things using the internal diagnostics of both firewalls, but unable to get the Lan to ping (which the routes fixed).. Here is that config.
This is the routing i setup, which is a single static route for the people at building A to get to building B's Nas drive.
On Building B's side, this is the setup. (TPLink ER605)
This is the static route i created on the TP Link so the Building A network can communicate to the Building B LAN thru what i called "UbiquitiBridge" VLAN.
As you can see, its routing all the 192.168.1.1 traffic thru 172.16.10.1 which is the gateway of the VLAN on the SRX5308 in Building A.
Now, all the machines that have mapped drives to the NAS Share at Building B are operating at full gigabit speed, and I am extremely happy.
Thanks to everyone for the help, and guidance. I hope this can help others who need to do the same thing.
*Note - while i haven't yet gone on site to make sure both DHCP servers are not in any way messing with anything, i created a ALWAYS BLOCK rule on the SRX5308 to Block UDP port 67 from the IP range of the VLAN.*
24 Replies
Congratulations on finding solution by yourself, as you see, this is not "simply" task at all, it takes a lot networking knowledges to make it work :)
Thank you much, and Kudos and Thanks for your time and everyone's time and support. Really helped a ton.
I got it working. Thanks to c3po2 for the guided assistance.. In a nutshell here is what i did. My brain was cramping for days with this.
The First Key, was properly setting up the VLAN's on Both Firewalls. In the SRX5308, I created VLAN20 with the IP 172.16.10.1/29 located in Building A. Building B TPLink ER605 I created VLAN20 with the IP 172.16.10.2/29. The SRX5308 VLAN, has Inter-Vlan Routing box enabled. *Note - The Ubiquiti Nano 5ac Antenna is plugged into LAN 3 on the SRX5308.. NOT the Wan port. Shown below are the settings for the VLAN (called CBBridge). As you can see also, i only have Port 3 checked off, where the Antenna is plugged into.
Next the Routing on the SRX5308 shown Below. The cavieat that i didn't figure out til i tried it, was the Gateway. I kept thinking the 172.16.10.1 IP of the Vlan on the SEX5308 was the one to use, i was incorrect. I had to use the 172.16.10.2 gateway, which is the IP of the VLAN on the TP Router in Building 2. Before i figured that out, i was able to ping things using the internal diagnostics of both firewalls, but unable to get the Lan to ping (which the routes fixed).. Here is that config.
This is the routing i setup, which is a single static route for the people at building A to get to building B's Nas drive.
On Building B's side, this is the setup. (TPLink ER605)
This is the static route i created on the TP Link so the Building A network can communicate to the Building B LAN thru what i called "UbiquitiBridge" VLAN.
As you can see, its routing all the 192.168.1.1 traffic thru 172.16.10.1 which is the gateway of the VLAN on the SRX5308 in Building A.
Now, all the machines that have mapped drives to the NAS Share at Building B are operating at full gigabit speed, and I am extremely happy.
Thanks to everyone for the help, and guidance. I hope this can help others who need to do the same thing.
*Note - while i haven't yet gone on site to make sure both DHCP servers are not in any way messing with anything, i created a ALWAYS BLOCK rule on the SRX5308 to Block UDP port 67 from the IP range of the VLAN.*
I think i got it working.. Holy Moly.. I will write up my musings shortly.
More headway.. Both routers are able to ping eachother over the VLANs now. 172.16.10.1 (Netgear) and 172.16.10.2 (TP Link) can ping eachother from Themselves in the diagnostics, but I cant ping from the LAN machines... So i assume its a routing thing that im trying to figure out..
I did below experiment on two NETGEAR PR60X routers, you may be able to achieve same with your existing hardware, below is just showing how it may work in principle for your reference, you may need extra configuration to restrict access between two buildings:
Router A: LAN1, LAN2, LAN4, LAN5 untagged for VLAN1 with DHCP enabled 192.168.1.1, LAN3 untagged for VLAN10 with DHCP disabled, set static IP of 192.168.10.2
Router B: LAN1, LAN2, LAN4, LAN5 untagged for VLAN1 with DHCP enabled 192.168.2.1, LAN3 untagged for VLAN10 with DHCP enabled 192.168.10.1
I used an Ethernet cable to connect LAN3 ports together to simulate your wireless bridge.
Simplest settings to get access:
Router A: Enable inter VLAN routing, add static router for 192.168.2.0 through gateway 192.168.10.1 on VLAN10
Router B: Enable inter VLAN routing, add static router for 192.168.1.0 through gateway 192.168.10.2 on VLAN10
With above settings, Router A and B LAN can access each other, extra traffic rules are needed to block unwanted traffic.
Im thinking out loud here... So, Building B is able to see and connect to everything at building A... Im wondering if i should just swap the antennas? Maybe there is a serer/client thing with the antennas i didnt know about.. But also weird, im able to ping to anything at A on the LAN setting under the ping tester, not the VLAN Group i created.
This is where i stand now.. So the SRX5308 seems to be working.. I can ping 172.16.10.1 and .3 (.3 is the management interfece of the antenna) and access it from chrome without having to use an IP Alias.. So intoher words the routing is working there..
Now on the other side, in building B, i created a VLAN with the IP 176.16.10.2 .. I can not ping it from building A. Oddly enough when i went into the ER605 i was able to ping everything in building A thru its disgnostic ping tests. I have both VLAN's on the ER605 set as "Normal" not Bridged.
Thanks so much i think im headed in the right direction.. I setup a config similar to this setup.. I have the Antenna of A in Lan port 3. Created VLAN 20 on The SRX5308 with the ip 172.16.10.1/29. I am now, from Building A's LAN can ping and access the management interface of the Antenna at 172.16.10.3... In the Vlan setup i have all 4 lan ports selected (on both Vlan 1 and Vlan 20), and turned on Inter-Vlan Routing on Both Vlan interfaces.. (I only had it on Vlan 20 before)..
So now it looks like the Vlan is working correctly on the netgear... when i go a trqacert to say 192.168.0.10, the first hop is correct its the srx5308 at 192.168.1.1, but then it looks like its not going to the gateway (Vlan20)'s iip at 172.12.10.1 as the second hop.. Before it was taking the second IP out to the Net, which was incorrect... So im gettin closer. I have to check the config on Building B's router- now
ade some headway, I am now able to get into antenna A at 172.16.10.3 on the LAN at Building A (Used an ip alias to get into it), positive movement. Btw i plugged it back into the LAN port on the SRX5308.
I'm losing faith in this working. 3 days at this and after many resets, step backs and such, i just can not figure out something that "supposedly" is simple to accomplish. I have one of the antenna's now management ip is 172.16.10.3 and i can't ping it or even see it on the LAN (even tho it shows connection is fine to the other antenna from building B's antenna GUI).. This is a nightmare.
Here is a proper topology of the networks
, sorry for the confusion. I'm still trying to make this work and im just pinning my tires.
I can not get Wan2 to take the IP address 176.12.10.1/29 ... It asks for a gateway/dns servers in the Wan Setup.,. Dunno what to put there, and it never accepts the IP...
Ok i stopped by the office and i have switched the Antenna at Building A (Srx5308) to the WAN2 Port on the firewall to see if i can get that setup properly as the static route. I am unsure if i have to configure it in WAN2 as ISP or Secondary Address...
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
